Solid-state memory device

ABSTRACT

The invention relates to a semiconductor storage device with a large number of storage cells (3), arranged on a semiconductor substrate at intersections of bit lines and word lines, which, for programming with data contents, can be driven by means of a word-line drive circuit (4) and a bit-line drive circuit (5). Enable storage cells (12, 14), arranged along an enable bit line (9, 10, 13) and driveable by means of an enable bit-line drive circuit (11) which is arranged and can be driven separately and independently of the bit-line drive circuit (5), are assigned to the storage cells (3) of a word line and can have an enable value applied to them in order to enable the storage cells (3) of a predetermined word line.

BACKGROUND OF THE INVENTION

FIELD OF THE INVENTION

The invention relates to a semiconductor storage device with a large number of storage cells, arranged on a semiconductor substrate at intersections of bit lines and word lines, which, for programming with data contents, can be driven by means of a word-line drive circuit and a bit-line drive circuit.

A semiconductor storage device of this type finds a preferred application in so-called smart cards, that is to say identity cards, credit cards, account cards and the like, which are equipped with an integrated circuit having a microprocessor. The producer of a smart card can equip the microprocessor with a permanently stored operating system which undertakes basic functions, for example procedures for comparing an externally input code with a stored code, and the like. In addition to storing the operating system, the memories inside the smart card, which are assigned to the microprocessor, are also used for storing specific applications and parameters which, for example, are required for the security check and must in each case be kept secret. A smart card of this type can be employed for varied applications if, by the producer, a suitable operating system with associated programs is provided, specific suitable interfaces are provided and a memory or a storage area is reserved for one or more imported application programs. In this way, the card producer can provide the user of the smart card with a memory or storage area for programming an imported user program. In a user program, it is, for example, possible to establish special operations which run independently of the operating system and relate merely to the special data-processing operations of the user. With one smart card configuration which can be used in a particularly varied way, provision may furthermore be made for a plurality of different users to store their corresponding programs in the smart card independently of each other.

In each case, as with all security-critical data-processing systems which, for example, are used for processing data which are confidential or have monetary value, special protection must be provided against data manipulation or unauthorized data access. It must therefore be ensured that security-relevant data, which form a component of the operating system or of the individual user programs, are protected from unauthorized access. In the case of a credit card as an example of a smart card, which comprises an integrated circuit with a non-volatile memory (for example an EEPROM or a ROM) and a microprocessor, safeguarding from manipulation requires that a user program stored in the non-volatile memory does not have uncontrolled access to other user programs or operating-system routines, which are likewise held in the non-volatile memory.

The prevention of this type of access can be ensured by a security circuit for memory access supervision which has been disclosed, for example, in DE 41 15 152 A1 or U.S. Pat. No. 5,452,431.

In this regard, essentially three different measures are explained in DE 41 15 152 A1. In a first measure, the address at which the user program starts in the storage area is stored in two auxiliary registers in the represented circuit, before execution of the user program stored in the EEPROM. During the program execution, continuous comparison is made between the current address-bus value and the first auxiliary register, and between the program counter value and the second auxiliary register. A first comparison is used to determine whether a user program is active. A second comparison is used to conclude whether a permissible address range for the user program is actually being employed. If a user program is active and is not operating in a permissible range, a reset signal is triggered in the microprocessor. This measure has the disadvantage that the circuit requires additional auxiliary registers and comparators for n bits, n representing the address-bus width. In a second measure, it is proposed to supervise the program counter and the address-bus value using an additionally provided monitoring processor with its own memory. As in the first measure, a reset signal is triggered if a user program accesses an unpermitted address range. This circuit has the disadvantage that an additional processor with memory is required. In a third measure, or circuit, each storage area to be protected separately has different most-significant address bits (block-select bits). Before execution of the user program stored in a PROM block, the block-select bits are stored in an auxiliary register. During the program execution, the most-significant current address-bus bits are stored continuously in a second auxiliary register and compared with the first auxiliary register. If the contents of the auxiliary registers are different, it is concluded that the active user program is addressing another program storage area in a manner which is not permitted. A reset signal is consequently triggered. This circuit has the disadvantage that, for a small number of bits (for example two bits), only a rigid and uniform relatively coarse block subdivision is possible (for example a quarter of the total memory). Furthermore, only a continuous storage area can be allocated to an imported program. The imported program with the greatest program-memory requirement therefore determines the block size for the other imported programs as well, so that the use of memory is overall unfavourable.

U.S. Pat. No. 5,452,431 discloses a security circuit for memory access supervision, in particular for application in smart cards, in which the storage area of the EEPROM is subdivided into a repertory region ZR and an application region ZA, as well as a public region ZT. The various storage areas ZR, ZA and ZP are driven separately by means of an address-control circuit, in such a way that respectively determined address ranges are assigned to the individual storage areas, and fixed address limits are predetermined. The commands for writing, reading and erasing the respective storage areas can be blocked or enabled by the address-control circuit in predetermined frameworks. The disadvantage of this circuit resides in the fact that the distribution of the memory is fixed with the production of the EEPROM and can no longer be altered by the user.

SUMMARY OF THE INVENTION

The object of the present invention is to provide a circuit which, by simple measures, ensures that an imported program can access only those storage areas which are expressly permitted for access, and which simultaneously allows flexible distribution of the permitted storage areas to various applications.

This object is achieved by a semiconductor storage device according to claim 1.

According to the invention, provision is made that enable storage cells, arranged along an enable bit line and driveable by means of an enable bit-line drive circuit which is arranged and can be driven separately and independently of the bit-line drive circuit, are assigned to the storage cells of a word line and can have an enable value applied to them in order to enable the storage cells of a predetermined word line.

The circuit according to the invention is based on a special arrangement of a semiconductor memory, which allows simple supervision of the memory accesses and, simultaneously, flexible distribution of the memory or the storage areas to various applications. In addition to the setting of a flexible memory size, the invention also provides the advantage of free absolute positioning of the allocated memory areas in the address space of the user programs, so as to allow optimum use of the memory capacity which, in particular for smart cards, is of only limited availability. The invention simultaneously allows, with comparatively little additional outlay on circuitry, reliable protection from unauthorized data manipulation or unauthorized data access, it being possible to carry out supervision of the data memories, in addition to supervision of the program memory.

The basic principle of the invention is to expand the word lines of a programmable semiconductor memory by m bits which do not lie in the normal address space and which contain information regarding the access rights relating to the data stored in the normal word-line bits (page). In the case of a number of m bits for the enable-storage cells, it is possible for 2^(m) applications, that is to say program or data areas, to be implemented separately of one another.

In a preferred embodiment of the invention, provision may be made that the storage cells, arranged along the intersections of bit lines and word lines, and the enable storage cells, arranged along intersections of word lines and enable bit lines, are driven in common by means of a word-line driver circuit provided in the word-line drive circuit. In this case, it is furthermore possible for a common address-decoder circuit to be provided for addressing both the storage cells and the enable-storage cells.

The invention therefore relates to a specially structured memory, and thus not to a so-called standard memory, in which, in addition to normal cells, the storage cells presently referred to as enable cells are provided by the manufacturer, the enable storage cells being coupled to the usual word-line drivers; the word-line drivers and address decoders are therefore provided in common for the normal cells and the enable cells, which saves a considerable amount of area. The different driving of normal and enable cells takes place merely using different bit lines.

In a further refinement of the invention, provision may be made that a microprocessor circuit is provided for executing an operating-system program and at least one user program, which microprocessor circuit, on calling or executing an initialization program, outputs to the enable bit-line drive circuit a control signal by means of which a storage area of the semiconductor storage device, allocated to the user program, can be activated. The enable cells of the additionally provided enable bit lines are not addressed in normal fashion, but are set by an initialization circuit. In this case, the initialization may, for example, be arranged in such a way that it is possible only once when loading the operating system, and thereafter the reservation of the additional enable cells of the enable bits can no longer be changed. In the case of one additional enable bit per page, that is to say m=1, two storage areas can be separated, for example for two different user programs. The number of pages which a user program reserves is in this case arbitrarily selectable. Likewise, the positioning of the user program in the total storage area can be set flexibly, it being even possible for an interleaved distribution of the storage areas to take place.

Preferred developments of the invention are given by the subclaims.

Further features, advantages and expedient features of the invention are given from the description of illustrative embodiments with the aid of the appended drawing.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A shows a schematic representation of an electrically erasable and programmable semiconductor memory for explaining the basic mode of operation of the invention;

FIG. 1B shows a simplified block representation of the semiconductor memory according to the invention represented in FIG. 1A;

FIG. 2 shows a schematic representation of a circuit according to one illustrative embodiment of the invention;

FIG. 3 shows a schematic representation of a circuit according to a further illustrative embodiment of the invention;

FIG. 4 shows a schematic representation of a circuit according to a further illustrative embodiment of the invention;

FIG. 5 shows a schematic representation of a circuit according to a further illustrative embodiment of the invention;

FIG. 6 shows a schematic representation of a circuit according to a further illustrative embodiment of the invention; and

FIG. 7 shows a schematic representation of a circuit according to a further illustrative embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1A shows the structure of an electrically alterable read-only memory 1 (EEPROM = Electrically Erasable Programmable ROM), the advantage of which, as is known, consists in the fact that the integrated circuit is erasable and reprogrammable, without needing to be removed from the user device, and that each individual byte of the memory can be erased and written separately many times. Erasing takes place using an electrical pulse. The storage elements used are cells 2 with a control electrode and a floating intermediate electrode, which acts as a charge store. The mode of operation of a read-only memory of this type is basically known and shall not be explained in further detail here. The normal storage cells 3 of the semiconductor storage device 1 are arranged in a large number at intersections of bit lines BL and word lines WL, and can be driven by means of a word-line drive circuit 4 and a bit-line drive circuit 5 in the manner which is familiar to the person skilled in the art. An address bus 6 and a data bus 7 are provided, on which the addresses or data are transported between the various circuit components. For the sake of clarity, only one line each is shown for the address bus 6 and the data bus 7, although a large number of lines, for example 16 lines, are actually provided. It is equally well possible for the bus system to consist of only one line, in which case the addresses and the data are processed using the time multiplex method. FIG. 1A represents only four word lines WL0 to WL3 of the generally very large number of word lines, and only four bit lines BL0 to BL3. The reference number 8 schematically denotes an address decoder, the structure and mode of operation of which is also familiar to the person skilled in the art and shall therefore not be explained in further detail.

The security circuit according to the invention is based on a special arrangement or design of the memory 1 according to FIG. 1A and FIG. 1B, which allows simple supervision of the memory accesses and a flexible distribution of the memory 1 to various applications. The basic principle of the invention is the expansion of the memory word line by m bits, which do not lie in the normal address space, and which contain information regarding the access rights relating to the data stored in the normal word-line bits (pages). To this end, m additional bit lines 9 and 10 are provided, which are referred to hereafter as enable bit lines, and can be driven via an enable bit-line drive circuit 11 independently of the (normal) bit-line drive circuit 5. At the intersections of the (normal) word lines WL0 to WL3 and the additionally provided enable bit lines 9 and 10, enable storage cells 12 are provided, which need not be distinguished in terms of structure and mode of operation from the normal storage cells 3 and can therefore be produced together with the normal cells 3. Enable values are temporarily or permanently stored in the enable storage cells, in the manner which is yet to be explained below, and are used for enabling the (normal) storage cells 3 of one or more predetermined word lines WL0 to WL3.

FIG. 2 shows a first illustrative embodiment of the invention, in which a single enable bit line 13 is provided with enable storage cells 14, that is to say m=1. The data contents of the enable storage cells 14 of the one enable bit line 13 are not addressable as for the (normal) storage cells 3, but are set by an initialization circuit (not represented in further detail in the figures) provided in the enable bit-line drive circuit 11. The initialization may in this case, for example, be arranged in such a way that it is possible only once when loading the operating system. Thereafter, the reservation of the additional enable bits (1 bit per page) can no longer be changed. In the case of one bit per page (m=1), two storage areas 15 and 16 can be selected separately from each other, for example for two different user programs. The number of pages which a user program reserves is in this case arbitrarily selectable. Likewise, the positioning of the user programs in the total storage area is flexible, it even being possible for them to be distributed in interleaved storage areas. The storage area 15 is, for example, allocated by writing a logical zero in correspondingly assigned enable storage cells, while the storage area 16 is defined by writing a logic value 1.

Assigned to the semiconductor memory 1 is a microprocessor circuit 17 in which the operating system and the user programs are called or executed, and which is connected via the address bus 6 and the data bus 7 to further memories and registers, for example RAM, ROM or EEPROM memories, which are denoted together by the reference number 18 for the sake of simplicity. The operating system running in the microprocessor 17 has the highest hierarchy level, whereas user programs are subordinate. When calling a user program, a control signal is set by the microprocessor 17 and is applied to a line 19. This process can only be initiated by the operating system. In this way, the user program can be active only in the storage area allocated to it. The control signal of the microprocessor 17 therefore indicates whether a user program is active. Without further auxiliary registers, this control signal is compared in simple fashion with the current extra bit of the enable bit line 13. To this end, a comparator circuit with an inverter 20 and an AND gate 21 is provided, which are connected in the manner visible in FIG. 2. Intermediate storage of all or some of the address is not required. If a user program is active and accesses an unallowed address range, a reset signal is triggered on the line 22 in the microprocessor 17. It is, however, likewise possible not to reset the microprocessor with the control signal, but to trigger another suitable action.

FIG. 3 shows a second illustrative embodiment of the invention, in which, in comparison with the first embodiment, m additional enable bit lines 13 are provided in a more general fashion.

As in the first illustrative embodiment, the m additional bits for word lines WL0 to WL3 are not normally addressable, but are set by an initialization circuit. The initialization circuit for the additional bits of the enable bit lines can, for example, be integrated within the enable bit-line drive circuit 11 (see FIG. 1A). The initialization can in this case again be arranged in such a way that it is possible only a single time when loading the operating system, and thereafter reservation of the enable storage cells of the additional enable bit lines can no longer be changed. In the case of a number of m enable bit lines, 2^(m) program areas can be separated individually for user programs, the number of pages reserved by a user program being arbitrarily selectable, and it even being possible for the positioning of the user programs in the total storage area to be set flexibly, and in particular with an interleaved distribution of the storage areas. Again, the operating system has the highest hierarchy level, whereas user programs are subordinate. When calling a user program, a group of control signals, or a control-signal vector, is set on the line 23, which process can only be initiated by the operating system. In this way, the respective user program can only be active in the storage area allocated to it. The control-signal vector of the microprocessor 17 in this case indicates which of the maximum possible 2^(m) applications are active. Before the start of the respective application, the m-bit value Y assigned to the application is set. The value Y is compared for each memory access with the current additional enable bit content X, by means of a comparator 24. If Y is not equal to X, then there is an unallowed access, and as a reaction to this, a suitable control signal, for example a reset signal, is generated on the line 25 and resets the microprocessor 17.

FIG. 4 shows a third illustrative embodiment of the invention, which is expanded in comparison with the second illustrative embodiment by an additional memory 26, the so-called access-right table memory. Again, the m additional enable bits per word line WL0 to WL3 are not addressable in the normal way, but are set by an initialization circuit. Furthermore, the reservation of the access-right table memory 26 is established in the initialization phase. The initialization circuit for the additional enable bits can, for example, again be designed as integrated within the enable bit-line drive circuit 11 (see FIG. 1A). The initialization can in this case likewise be arranged in such a way that it is possible only when loading the operating system. Thereafter, the reservation of the additional enable bits and the access-right table memory can no longer be changed. In the case of m additional enable bits, 2^(m) program areas can again be separated, the number of pages reserved by a user program being arbitrarily selectable, the positioning of the programs in the total storage area being flexible, and an interleaved distribution of the storage areas being again possible. The operating system has the highest hierarchy level, and user programs are subordinate. When calling a user program, a control signal is set, in the third illustrative embodiment according to FIG. 4, again a group of control signals or a control-signal vector. This process can only be initiated by the operating system, so that in this way the user program can be active only in the storage area allocated to it. The control-signal vector of the microprocessor 17 again indicates which of the maximum possible 2^(m) applications is active. Before the start of the application, the m-bit value Y assigned to the application is set. The value is decoded in the access-right table of the memory 26, which may be a separate memory, albeit with a smaller number of stores. The k entries R1, ..., Rk assigned to the respective application Y are compared by means of the comparator 24 with the current additional enable-bit content X. If Ri is not equal to X for all Ri, then there is an unallowed access. As a reaction, a suitable control signal, for example a reset signal, is generated on the line 25. The introduction of the access-right table memory 26 allows arbitrary establishment of the mutual access rights of the applications. In this way, it is possible for one application A to be allowed to access an application B, but, for example, the application B not to be allowed to access the application A.
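The per-page enable value X, the control-signal vector Y and the access-right table of FIG. 3 and FIG. 4 can be followed in a small behavioural model in C. This is an added example, not part of the patent text; the names card_mem, mem_init, os_call_user, os_return and mem_access, the 8-page layout and the bitmask encoding of the entries R1, ..., Rk are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* m enable bit lines give 2^m separable areas; 8 pages is a constructed size. */
enum { M_BITS = 2, N_AREAS = 1 << M_BITS, N_PAGES = 8 };

typedef struct {
    uint8_t  enable[N_PAGES];  /* enable value X stored beside each word line */
    uint8_t  rights[N_AREAS];  /* access-right table: bit x set in rights[y]
                                  means x is one of the entries R1..Rk of Y */
    bool     locked;           /* initialization has been used up */
    bool     user_active;      /* false while the operating system runs */
    uint8_t  y;                /* control-signal vector Y of the active program */
    unsigned resets;           /* comparator outputs raised so far */
} card_mem;

/* One-time initialization: sets the enable cells and the access-right table.
 * A second call is refused, as the reservation can no longer be changed. */
bool mem_init(card_mem *m, const uint8_t *tags, const uint8_t *rights)
{
    if (m->locked)
        return false;
    for (int p = 0; p < N_PAGES; p++)
        if (tags[p] >= N_AREAS)        /* value does not fit in m bits */
            return false;
    memcpy(m->enable, tags, N_PAGES);
    memcpy(m->rights, rights, N_AREAS);
    m->locked = true;
    return true;
}

/* Only the operating system may set Y, so the call is refused while a user
 * program is active. */
bool os_call_user(card_mem *m, uint8_t y)
{
    if (m->user_active || y >= N_AREAS)
        return false;
    m->y = y;
    m->user_active = true;
    return true;
}

/* Control signals are cleared again when the application is exited. */
void os_return(card_mem *m) { m->user_active = false; }

/* Comparator: on each access, compare the page's X with the entries allowed
 * for Y. With rights[y] == 1 << y this is the plain Y == X test of FIG. 3.
 * A mismatch is modelled as a reset that ends the user program. */
bool mem_access(card_mem *m, unsigned page)
{
    if (page >= N_PAGES)
        return false;
    if (!m->user_active)               /* operating system: highest level */
        return true;
    uint8_t x = m->enable[page];
    if (m->rights[m->y] & (1u << x))
        return true;
    m->resets++;
    m->user_active = false;
    return false;
}

int main(void)
{
    /* Constructed layout: area 0 = operating system, 1 = application A,
     * 2 = application B, interleaved across the pages. A may access B's
     * pages, B may not access A's. */
    const uint8_t tags[N_PAGES] = {0, 1, 0, 2, 1, 0, 2, 1};
    const uint8_t acl[N_AREAS]  = {0x1, 0x6, 0x4, 0x0};
    card_mem m = {0};

    mem_init(&m, tags, acl);
    os_call_user(&m, 1);
    printf("A -> page 3 (B): %s\n", mem_access(&m, 3) ? "ok" : "reset");
    os_return(&m);
    os_call_user(&m, 2);
    printf("B -> page 4 (A): %s\n", mem_access(&m, 4) ? "ok" : "reset");
    printf("resets: %u\n", m.resets);
    return 0;
}
```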

When calling user programs by the operating system, it must be ensured that the data-protecting processor-control signals are set in good time at the start of the application, and are erased again when the application is exited. This can be done, for example, in the following way: if the operating system sets the control signals before the jump to the user program, then the jump command is marked as part of the user program. Likewise, the microprocessor 17 can automatically recognize the jump command in the user-program area, and set the corresponding control signals.

FIG. 5 shows a further illustrative embodiment of the invention, which allows establishment of the action rights of the user programs, such as, in particular, with regard to the actions of reading, writing and erasing. To this end, the semiconductor memory has a number n of additional enable bit lines 13a for establishing the possible actions, and a comparator 28 which is connected via a line to the additional n enable bit lines 13a and is in contact via lines 27 and 29 with the microprocessor 17. During initialization, setting the enable storage cells of the additional enable bit lines 13a establishes which actions a user program is allowed to execute, that is to say reading, writing or erasing in the respectively allotted storage area. In the event of violation by the user program of the action status, which is indicated or predetermined by the microprocessor 17 through the action-status signal applied to the line 27, a reset of the microprocessor 17 can, for example, be induced by the control signal output on the line 29 by the comparator 28.

FIG. 6 shows a further illustrative embodiment of the invention, in which the access-right table 26 explained according to FIG. 4 is designed, with particularly simple circuit technology, as integrated equally into the enable storage cells of a number of k enable bit lines 13 (in this case, k is less than or equal to m).

In the illustrative embodiment represented in FIG. 7, the advantageous features from the illustrative embodiments according to FIG. 5 and FIG. 6 are combined.

By virtue of the circuit according to the invention, it is possible to control the access to data-storage areas, in addition to establishing access rights for program-code areas.

What is claimed is:
1. A semiconductor storage device, comprising: a semiconductor substrate; bit lines disposed on said semiconductor substrate; word lines disposed on said semiconductor substrate; a plurality of storage cells having data contents and disposed on said semiconductor substrate at intersections of and connected to said bit lines and said word lines; a word-line drive circuit connected to said word lines and a bit-line drive circuit connected to said bit lines for driving and programming said data contents of said plurality of storage cells; enable bit lines; an enable bit-line drive circuit connected to and driving said enable bit lines separately and independently of said bit-line drive circuit; enable storage cells disposed along said enable bit lines and driveable by said enable bit-line drive circuit, said enable storage cells assigned to said plurality of storage cells of said word lines and having enable values for enabling said plurality of storage cells of a predetermined word line, an m number of said enable bit lines provided for selectably reserving a number of 2^(m) program regions of said plurality of storage cells; a microprocessor outputting a control signal having a value; and a comparator having a first input connected to said enable bit lines and receiving said enable values and a second input receiving said control signal from said microprocessor, said comparator generating a comparator output signal if said value of said control signal and said enable values are unequal.

2. The semiconductor storage device according to claim 1, including an access-right table memory connected to said comparator and to said microprocessor for storing an access right table for establishing access rights to said 2^(m) program regions.

3. The semiconductor storage device according to claim 2, wherein said access-right table is integrated within a number of k said enable bit lines.

4. The semiconductor storage device according to claim 1, wherein said enable storage cells are connected to said word lines, and said storage cells and said enable storage cells are driven in common by said word-line drive circuit.

5. The semiconductor storage device according to claim 1, including a common address-decoder circuit connected to said bit-line drive circuit and to said word line drive circuit for addressing both said plurality of storage cells and said enable storage cells.

6. The semiconductor storage device according to claim 1, wherein said enable bit-line drive circuit has an initialization circuit for establishing said enable values of said enable storage cells of a respective enable bit line.

7. The semiconductor storage device according to claim 1, wherein said microprocessor executes an operating system program and at least one user program, said microprocessor on one of calling and executing an initialization program emits said control signal to said enable bit-line drive circuit so that a storage area allocated to the at least one user program can be activated.

8. The semiconductor storage device according to claim 7, wherein said microprocessor, on one of calling and executing the at least one user program, applies said control signal via one or more control lines to said comparator connected to one or more of said enable bit lines, said comparator emits said comparator output signal to said microprocessor should the at least one user program commit one of an access-right violation, a read violation, a write violation and an erase violation.

9. The semiconductor storage device according to claim 8, wherein an n number of said enable bit lines are provided for enabling a reading action, a writing and an erasing action.

10. A chip card, comprising: a semiconductor storage device, including: bit lines disposed on said semiconductor substrate; word lines disposed on said semiconductor substrate; a plurality of storage cells having data contents and disposed on said semiconductor substrate at intersections of and connected to said bit lines and said word lines; a word-line drive circuit connected to said word lines and a bit-line drive circuit connected to said bit lines for driving and programming said data contents of said plurality of storage cells; enable bit lines; an enable bit-line drive circuit connected to and driving said enable bit lines separately and independently of said bit-line drive circuit; enable storage cells disposed along said enable bit lines and driveable by said enable bit-line drive circuit, said enable storage cells assigned to said plurality of storage cells of said word lines and having enable values for enabling said plurality of storage cells of a predetermined word line, an m number of said enable bit lines provided for selectably reserving a number of 2^(m) program regions of said plurality of storage cells; a microprocessor outputting a control signal having a value; and a comparator having a first input connected to said enable bit lines and receiving said enable values and a second input receiving the control signal from said microprocessor, said comparator generating a comparator output signal if said value of said control signal and said enable values are unequal.